Apache Lounge

Topic: Windows directory permissions - Apache
paul.ohm (Joined: 18 Sep 2008, Posts: 5)
Posted: Thu 18 Sep '08 22:26    Subject: Windows directory permissions - Apache

I am trying to tighten the security with Apache running on my web server (also called Jailing apache). Going on the recommendations of many, I have created a separate user for the httpd service of Apache. I have prohibited local and network login via group policy for this user (named "apache", a member of the "users" group). Most people say that I should completely deny access to all local drives, and then specifically allow read/execute access to the apache software folder.

I have apache, mysql, and php installed in a folder on my E:\ partition. I have my doc root in a folder on my D:\ partition.

So far, I have Denied full control (using Properties -> Security -> Advanced and checking "Replace permission entries on child objects") on my C, D, and E partitions. I then went into my E: drive to the Apache folder and unchecked "Allow inheritable permissions from the parent..." so that I can make specific permissions. I then allow the following permissions under Properties -> Security -> Advanced: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions.
The rest is specifically denied. I check "Replace permission entries on child objects".

I then repeat this process for the "logs" folder except I also allow the writing attributes.

However, when I go to start the service, it doesn't let me and tells me to refer to the Event viewer, where there is no entry. I know this is a permissions issue, because if I grant the apache user full control to everything on the drive, it starts fine.

I have tried messing with the permissions, but I can't seem to get the service to start while denying the user the ability to see what is on the drive (read and execute). I know it is possible, because it is recommended to do this by so many, but I must be messing up somewhere.

Can anyone help me with this?
glsmith, Moderator (Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)
Posted: Fri 19 Sep '08 0:52

Deny seems to override anything below.
I do not deny Apache, I just do not allow Apache, by ridding the system in places of "Everyone". One can also just give "Everyone" read-only permissions all throughout, or directory listing only, which is even less than read-only yet still keeps the "Everyone" entry in place.
paul.ohm (Joined: 18 Sep 2008, Posts: 5)
Posted: Fri 19 Sep '08 15:31    Subject: for some reason

After removing "Everyone" and "Authenticated users" permissions from the C: and D: drives, and getting rid of the deny perms, just not explicitly permitting anything, and then giving "apache" the correct perms on the E: where apache is installed, the service was still unable to start, saying that the service or control failed to start in a timely fashion.

However, the moment that I give "apache" read and execute perms for C: (boot drive) the service can start just fine. I don't understand why it seems that the apache user needs access to the C: drive when apache is installed on E:

I obviously don't want the apache user (or the "Everyone" group) to have read and execute on C: (or D: for that matter); I would only like it to have permission to read and execute in the Apache software directory (on E:). Am I doing something wrong for this not to be working?

Thanks
glsmith, Moderator (Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)
Posted: Fri 19 Sep '08 16:50

Odd. I have zero Everyone permissions on C; Apache is on F.
Check both the Application and System sections of the event log for clues.

Actually it's not odd: check your config for anything pointing to C.

Delete the error log (make a copy first if you need to) and see if Apache can write a new one. If it cannot write a log file, or its pid file, then there will be problems.

A module might be dependent on something in %SysDir%
Depending on where certain files are located Apache might be dependent on something in %WinDir% or %SysDir% as well.

I can think of one example off the top of my head: libeay32.dll & ssleay32.dll. If you are running SSL and those files are not in Apache's /bin directory, you are going to be dependent on their other possible location, %SysDir%.
paul.ohm (Joined: 18 Sep 2008, Posts: 5)
Posted: Fri 19 Sep '08 19:34    Subject: tried

Well, I tried removing the logs from the Apache installation directory on E:, and leaving the apache user with permissions on C just so that the service would start and write some logs, and it wrote the logs to the correct directory (on E:), so I know it isn't trying to write logs to C:.

These are the mods I am running:

LoadModule alias_module modules/mod_alias.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule dir_module modules/mod_dir.so
LoadModule headers_module modules/mod_headers.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule unique_id_module modules/mod_unique_id.so

I don't know how to figure out which of them would be trying to access C.

I am also using PHP/MySQL; if one of them were trying to access C, would that have anything to do with the Apache service not starting? PHP/MySQL are installed on E also, and the Apache conf points to E:\PHP for the php.ini, so that's not the problem... I can't seem to find anything else in httpd.conf that is referencing C or %sys% or %windir%.
glsmith, Moderator (Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)
Posted: Fri 19 Sep '08 19:52

I think you may just have to go about it in reverse. One by one take Everyone away from things. At some point you will know exactly what it is wanting. It may only need read access as well so when you find the point which tips the scales, try putting it back as read only first.

You can also do things like remove everyone from C root but allow Apache read-only to win and sys folders.

It took me a couple of tries to get it right the first time, especially if you have other users using shares on the server. I just redid my server from the ground up and didn't note permissions before I started, so I am sure I will find something wrong somewhere down the line that I did this time, I just haven't yet.
paul.ohm (Joined: 18 Sep 2008, Posts: 5)
Posted: Fri 19 Sep '08 22:09    Subject: wow that was tedious

So I narrowed down the search and found that a few specific dll files are the ones causing the problem.

Under the system32 directory:
wshtcpip.dll
wsock32.dll
ws2_32.dll
ws2help.dll
ws03res.dll
mswsock.dll
dnsapi.dll

under the \windows\winSxS directory:
comctl32.dll


Why oh why are these files needed by Apache? How am I the only one that has run into this problem? It seems like everyone else doesn't need to give the apache user any access at all to C, but if I do not give access to these specific files, the service will not start. I used the binary of Apache to install it; could that be the problem? Does it install files all over the place when you use the binary? This has been such a pain... any help is greatly appreciated.
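The approach the thread converges on (no Deny ACEs; remove "Everyone" and grant the service account only what it needs: read/execute on the Apache tree, modify on logs, and read/execute on the handful of System32 and WinSxS DLLs listed in the post above) can be scripted so it is repeatable. The following is an added example written for this page; it is not code from the thread, from Apache Lounge or from the Apache project. It assumes a local account named apache, Apache installed in E:\Apache2.2 with logs (and httpd.pid) in E:\Apache2.2\logs, a DocumentRoot of D:\www and a service named Apache2.2; all of those paths and names are assumptions, adjust them to your layout.

```powershell
# Added example, not from the thread: allow-based least-privilege NTFS ACLs for an
# Apache service account. Assumed layout (not given on the page): account .\apache,
# Apache in E:\Apache2.2, logs and httpd.pid in E:\Apache2.2\logs, DocumentRoot D:\www,
# service name Apache2.2. Run from an elevated PowerShell prompt on the server.
$Account = "$env:COMPUTERNAME\apache"
$Install = 'E:\Apache2.2'
$DocRoot = 'D:\www'
$Logs    = Join-Path $Install 'logs'
$Service = 'Apache2.2'

# System DLLs the thread found httpd needs to read (Winsock, DNS). Missing ones
# (e.g. ws03res.dll on a non-2003 host) are skipped. comctl32.dll lives in a
# versioned folder under WinSxS, so it is located with a recursive search.
$SystemDlls = @('wshtcpip.dll', 'wsock32.dll', 'ws2_32.dll', 'ws2help.dll',
                'ws03res.dll', 'mswsock.dll', 'dnsapi.dll') |
    ForEach-Object { Join-Path "$env:SystemRoot\System32" $_ } |
    Where-Object { Test-Path $_ }
$SystemDlls = @($SystemDlls) + @(
    Get-ChildItem -Path "$env:SystemRoot\WinSxS" -Filter 'comctl32.dll' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName })

function Grant-Access {
    # Adds (or replaces) one Allow ACE for $Identity on $Path. It never writes a Deny
    # ACE: an explicit Deny beats every Allow, which is what locked the service out.
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [switch]$Recurse   # propagate the ACE to subfolders and files (directories only)
    )
    $inherit = if ($Recurse) { 'ContainerInherit,ObjectInherit' } else { 'None' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)   # replaces any existing Allow ACE for this identity
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-EveryoneAccess {
    # Stops inheritance from the drive root (keeping a copy of the inherited ACEs as
    # explicit ones), then drops any explicit Everyone ACE so only named identities
    # remain. This is the "get rid of Everyone" approach instead of Deny.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited } |
        ForEach-Object { $null = $acl.RemoveAccessRule($_) }
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Apache binaries, modules and conf: read and execute only, recursively.
Remove-EveryoneAccess -Path $Install
Grant-Access -Path $Install -Identity $Account -Rights 'ReadAndExecute' -Recurse

# 2. Logs: httpd must create error.log/access.log and httpd.pid here, so Modify.
Grant-Access -Path $Logs -Identity $Account -Rights 'Modify' -Recurse

# 3. DocumentRoot: the same read/execute set the original post granted. Drop to
#    'Read' if nothing in the tree is executed directly as a CGI program.
Remove-EveryoneAccess -Path $DocRoot
Grant-Access -Path $DocRoot -Identity $Account -Rights 'ReadAndExecute' -Recurse

# 4. The specific system DLLs: per-file ReadAndExecute, nothing else on C:.
foreach ($dll in $SystemDlls) {
    Grant-Access -Path $dll -Identity $Account -Rights 'ReadAndExecute'
}

# 5. Start the service and show the Service Control Manager's verdict.
Start-Service -Name $Service -ErrorAction Continue
Get-Service -Name $Service | Format-Table -AutoSize Name, Status
Get-EventLog -LogName System -Source 'Service Control Manager' -Newest 3 |
    Format-Table -AutoSize TimeGenerated, EventID, Message
```

Two checks worth doing before blaming NTFS: the account must hold the "Log on as a service" user right (a policy that denies interactive and network logon is fine, but "Deny log on as a service" stops the service regardless of file permissions), and the reason most people never hit the System32 problem is that BUILTIN\Users has Read & Execute on %SystemRoot% by default, which disappears once "Everyone" and "Authenticated Users" are stripped from the C: root as in this thread. Rather than removing entries one at a time to find the tipping point, run Sysinternals Process Monitor filtered on the httpd.exe process while starting the service; every file the account cannot open shows up with Result "ACCESS DENIED", which gives the exact list to grant.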
glsmith, Moderator (Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)
Posted: Sat 20 Sep '08 5:14

I do not know. One thing I do know is I do not use mod_isapi and I do not have a ws03res.dll in System32

Is this Vista? Not that it matters much.
paul.ohm (Joined: 18 Sep 2008, Posts: 5)
Posted: Mon 22 Sep '08 15:40    Subject: not vista

This is a PowerEdge 2900 III running Windows Server 2003 Standard. I've been trying to research some of these files, and can't seem to figure out what connection they have with Apache at all... I will look more into whether we need mod_isapi, but it seems as though the installation of these modules must have put some files on the system drive, although I have no idea why, as I installed Apache on a different partition...